
Vulnerability Disclosure Guidelines

We provide guidelines on how to disclose vulnerabilities to Seam.

July 15, 2022

All technology contains bugs. If you've found a security vulnerability, we'd like to patch it before publication and then acknowledge your contribution. Here we detail a few guidelines for submitting vulnerabilities.

Vulnerability Definition

A security vulnerability is defined as a software bug that would allow an attacker to perform an action in violation of an expressed security policy. A bug that enables escalated access or privilege is a vulnerability. Design flaws and failures to adhere to security best practices may qualify as vulnerabilities. Weaknesses that rely on social engineering are not considered vulnerabilities unless the Seam Team determines otherwise.

Submission Process

If you believe you have found a vulnerability, please submit a Report to security@seam.co. You can encrypt the content of your email using our public age key listed on our security page. You may also provide a public key of your own so that we can encrypt our replies to you.

The Report should include a detailed description of your discovery with clear, concise reproducible steps or a working proof-of-concept. If you don't explain the vulnerability in detail, there may be significant delays in the disclosure process.

We will update you with significant events, including when the vulnerability has been validated, or when more information is needed from you.

Remediation & Disclosure Process

Once a vulnerability has been accepted and patched, you may make it public. We believe transparency is in the public's best interest and support this practice.

If our Security Team has evidence of active exploitation or imminent public harm, they may immediately provide remediation details to the public so that users can take protective action. We will still provide credit for your findings.

In rare circumstances, due to complexity and other factors, some vulnerabilities will take longer to remediate. In these cases, we kindly ask that the vulnerability remain non-public so that our Team has adequate time to address the issue. We operate in good faith and do not seek to discredit your findings.

Public Recognition

You may receive public recognition for your finding if:

  • You are the first person to file a Report for a particular vulnerability,
  • the vulnerability is confirmed to be a valid security issue, and
  • you have complied with these guidelines.

If you prefer to remain anonymous, we encourage you to submit under a pseudonym. Star Wars related names and puns are greatly appreciated.